From 47ed195fc70ea43b8d3d68034303121e8bbfc2fe Mon Sep 17 00:00:00 2001 From: kyleboyer Date: Thu, 7 Aug 2025 10:22:51 -0500 Subject: [PATCH 1/4] Fix: form-data vulnerability --- package-lock.json | 88 +++++++---------------------------------------- package.json | 4 +-- 2 files changed, 14 insertions(+), 78 deletions(-) diff --git a/package-lock.json b/package-lock.json index 69a4d237494..fc6914ce581 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "plotly.js", - "version": "3.1.0-rc.1", + "version": "3.1.0-rc.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "plotly.js", - "version": "3.1.0-rc.1", + "version": "3.1.0-rc.2", "license": "MIT", "dependencies": { "@plotly/d3": "3.8.2", @@ -89,7 +89,7 @@ "into-stream": "^6.0.0", "jasmine": "3.5.0", "jasmine-core": "3.5.0", - "jsdom": "^26.0.0", + "jsdom": "^26.1.0", "karma": "^6.4.2", "karma-chrome-launcher": "^3.2.0", "karma-esbuild": "^2.3.0", @@ -2101,13 +2101,6 @@ "node": ">=18" } }, - "node_modules/asynckit": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", - "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==", - "dev": true, - "license": "MIT" - }, "node_modules/available-typed-arrays": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.6.tgz", @@ -2851,19 +2844,6 @@ "node": ">=0.1.90" } }, - "node_modules/combined-stream": { - "version": "1.0.8", - "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", - "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", - "dev": true, - "license": "MIT", - "dependencies": { - "delayed-stream": "~1.0.0" - }, - "engines": { - "node": ">= 0.8" - } - }, "node_modules/commander": { "version": "2.20.3", "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz", @@ -3331,9 +3311,9 @@ } }, "node_modules/decimal.js": { - "version": "10.4.3", - "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.4.3.tgz", - "integrity": "sha512-VBBaLc1MgL5XpzgIP7ny5Z6Nx3UrRkIViUkPUdtl9aya5amy3De1gsUUSB1g3+3sExYNjCAsAznmukyxCb1GRA==", + "version": "10.6.0", + "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz", + "integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==", "dev": true }, "node_modules/decompress-response": { @@ -3460,16 +3440,6 @@ "resolved": "https://registry.npmjs.org/defined/-/defined-1.0.0.tgz", "integrity": "sha1-yY2bzvdWdBiOEQlpFRGZ45sfppM=" }, - "node_modules/delayed-stream": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", - "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.4.0" - } - }, "node_modules/depd": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", @@ -4066,22 +4036,6 @@ "node": ">= 0.4" } }, - "node_modules/es-set-tostringtag": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz", - "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==", - "dev": true, - "license": "MIT", - "dependencies": { - "es-errors": "^1.3.0", - "get-intrinsic": "^1.2.6", - "has-tostringtag": "^1.0.2", - "hasown": "^2.0.2" - }, - "engines": { - "node": ">= 0.4" - } - }, "node_modules/es5-ext": { "version": "0.10.63", "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.63.tgz", @@ -4707,22 +4661,6 @@ "url": "https://github.com/sponsors/isaacs" } }, - "node_modules/form-data": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.2.tgz", - "integrity": "sha512-hGfm/slu0ZabnNt4oaRZ6uREyfCj6P4fT/n6A1rGV+Z0VdGXjfOhVUpkn6qVQONHGIFwmveGXyDs75+nr6FM8w==", - "dev": true, - "license": "MIT", - "dependencies": { - "asynckit": "^0.4.0", - "combined-stream": "^1.0.8", - "es-set-tostringtag": "^2.1.0", - "mime-types": "^2.1.12" - }, - "engines": { - "node": ">= 6" - } - }, "node_modules/from2": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/from2/-/from2-2.3.0.tgz", @@ -6362,16 +6300,14 @@ } }, "node_modules/jsdom": { - "version": "26.0.0", - "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-26.0.0.tgz", - "integrity": "sha512-BZYDGVAIriBWTpIxYzrXjv3E/4u8+/pSG5bQdIYCbNCGOvsPkDQfTVLAIXAf9ETdCpduCVTkDe2NNZ8NIwUVzw==", + "version": "26.1.0", + "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-26.1.0.tgz", + "integrity": "sha512-Cvc9WUhxSMEo4McES3P7oK3QaXldCfNWp7pl2NNeiIFlCoLr3kfq9kb1fxftiwk1FLV7CvpvDfonxtzUDeSOPg==", "dev": true, - "license": "MIT", "dependencies": { "cssstyle": "^4.2.1", "data-urls": "^5.0.0", - "decimal.js": "^10.4.3", - "form-data": "^4.0.1", + "decimal.js": "^10.5.0", "html-encoding-sniffer": "^4.0.0", "http-proxy-agent": "^7.0.2", "https-proxy-agent": "^7.0.6", @@ -6381,12 +6317,12 @@ "rrweb-cssom": "^0.8.0", "saxes": "^6.0.0", "symbol-tree": "^3.2.4", - "tough-cookie": "^5.0.0", + "tough-cookie": "^5.1.1", "w3c-xmlserializer": "^5.0.0", "webidl-conversions": "^7.0.0", "whatwg-encoding": "^3.1.1", "whatwg-mimetype": "^4.0.0", - "whatwg-url": "^14.1.0", + "whatwg-url": "^14.1.1", "ws": "^8.18.0", "xml-name-validator": "^5.0.0" }, diff --git a/package.json b/package.json index 2ca45d1e63c..a18fb2c9fbc 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "plotly.js", - "version": "3.1.0-rc.1", + "version": "3.1.0-rc.2", "description": "The open source javascript graphing library that powers plotly", "license": "MIT", "main": "./lib/index.js", @@ -147,7 +147,7 @@ "into-stream": "^6.0.0", "jasmine": "3.5.0", "jasmine-core": "3.5.0", - "jsdom": "^26.0.0", + "jsdom": "^26.1.0", "karma": "^6.4.2", "karma-chrome-launcher": "^3.2.0", "karma-esbuild": "^2.3.0", From 3f78681dcd6cebb1334b6f5483d543c072ff6484 Mon Sep 17 00:00:00 2001 From: kyleboyer Date: Thu, 7 Aug 2025 10:29:36 -0500 Subject: [PATCH 2/4] Added draftlog --- draftlogs/7511_fix.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 draftlogs/7511_fix.md diff --git a/draftlogs/7511_fix.md b/draftlogs/7511_fix.md new file mode 100644 index 00000000000..19c575de91f --- /dev/null +++ b/draftlogs/7511_fix.md @@ -0,0 +1 @@ +Removed `form-data` nested dependency associated with [CVE-2025-7783](https://github.com/advisories/GHSA-fjxv-7rqg-78g4) [[#7511](https://github.com/plotly/plotly.js/pull/7511)], with thanks to @KyleBoyer for the contribution! From b91db523f914135f5e13333d8f3a2f7f90b2095d Mon Sep 17 00:00:00 2001 From: kyleboyer Date: Thu, 7 Aug 2025 10:46:37 -0500 Subject: [PATCH 3/4] Whitespace change to trigger CI --- package.json | 1 + 1 file changed, 1 insertion(+) diff --git a/package.json b/package.json index a18fb2c9fbc..9de1a4d8618 100644 --- a/package.json +++ b/package.json @@ -183,3 +183,4 @@ } } } + From 27c17b386e1945363f3389410201ede061f7bde7 Mon Sep 17 00:00:00 2001 From: kyleboyer Date: Thu, 7 Aug 2025 10:46:40 -0500 Subject: [PATCH 4/4] Whitespace change to trigger CI --- package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/package.json b/package.json index 9de1a4d8618..a18fb2c9fbc 100644 --- a/package.json +++ b/package.json @@ -183,4 +183,3 @@ } } } -